General Data Protection Regulation (GDPR)
Governance & Compliance
Definition
EU regulation enforcing transparent personal data handling and user rights.
Technical Details
The General Data Protection Regulation (GDPR) is a comprehensive data protection law enacted by the European Union, which came into effect on May 25, 2018. It aims to enhance individuals' control over their personal data and to establish a uniform data protection framework across the EU. The regulation emphasizes principles such as data minimization, purpose limitation, and transparency. Organizations are required to implement technical and organizational measures to ensure the security and confidentiality of personal data, conduct Data Protection Impact Assessments (DPIAs) when necessary, and appoint a Data Protection Officer (DPO) if they process large volumes of personal data. GDPR also introduces significant penalties for non-compliance, which can reach up to 4% of a company's global annual turnover or €20 million, whichever is higher.
Practical Usage
In practice, organizations that process personal data of individuals within the EU must comply with GDPR requirements, regardless of where the organization is based. This includes obtaining explicit consent from individuals before collecting their data, ensuring data portability, and providing the right to erasure (the 'right to be forgotten'). Companies often conduct audits of their data processing activities, implement privacy policies, and train employees on data protection practices. Tools and systems must be put in place to manage data access, ensure data integrity, and respond to data breaches within the stipulated 72-hour notification period.
Examples
- A company offering online services to EU residents must provide clear information about how it collects, uses, and stores personal data, along with obtaining explicit consent from users.
- An e-commerce platform that collects customer data must allow users to download their data in a commonly used format and delete their account upon request, complying with the right to data portability and erasure.
- A health service provider must conduct a Data Protection Impact Assessment before implementing a new patient management system to identify and mitigate risks to personal data.